Thanks for posting this @Zachary_Trabookis!
I followed these steps on my Juniper sandbox which is an LTI provider. (Note: had to modify `lms.envs.production` to add the additional settings instead of `lms.envs.private`, since it's not a devstack.)
EDIT Please disregard the notes below. These issues were resolved by creating a brand new session.
I didn't use `SESSION_COOKIE_SAMESITE_KEYS`, just `SESSION_COOKIE_SAMESITE_FORCE_ALL`, and thought that would be enough, but the `sessionid` cookie doesn't get marked `SameSite=None`. All the others did though:
Name | Secure | SameSite |
---|---|---|
JSESSIONID | ✓ | None |
csrftoken | ✓ | None |
edx-jwt-cookie-header-payload | ✓ | None |
edx-jwt-cookie-signature | ✓ | None |
edx-user-info | ✓ | None |
edxloggedin | ✓ | None |
experiments_is_enterprise | ✓ | None |
sessionid | ✓ | |
However, when using LTI to access the provider sandbox, only one cookie was marked `SameSite=None`, and the rest were not. LTI is using OAuth to authenticate, so maybe there's something different there with how cookies get created?
Name | Secure | SameSite |
---|---|---|
JSESSIONID | ✓ | None |
csrftoken | ✓ | |
sessionid | ✓ | |
I haven't dug into the code to see why this might be.
EDIT Replacing `SESSION_COOKIE_SAMESITE_FORCE_ALL` with this setting didn't make a difference to the `sessionid` or `csrftoken` cookies:

```python
SESSION_COOKIE_SAMESITE_KEYS = ['JSESSIONID', 'csrftoken', 'edx-jwt-cookie-header-payload', 'edx-jwt-cookie-signature', 'edx-user-info', 'edxloggedin', 'experiments_is_enterprise', 'sessionid']
```
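Added example (not code from the post above, from edx-platform, or from the middleware that implements these settings): a stand-alone model of what the `SESSION_COOKIE_SAMESITE_FORCE_ALL` and `SESSION_COOKIE_SAMESITE_KEYS` policies do to a response's `Set-Cookie` headers, plus an audit that builds the same Name | Secure | SameSite table the post compiled by hand and flags the cookies that still lack `SameSite=None`. It assumes (my assumptions, not anything the post states) that the policy runs over the final list of `Set-Cookie` headers of one response, that `SameSite=None` must always be paired with `Secure` because browsers drop a `SameSite=None` cookie that is not `Secure`, and it uses constructed sample headers rather than anything captured from a real sandbox.

```python
"""Model of FORCE_ALL vs KEYS SameSite rewriting, plus a cookie audit.

Added illustration only: this is not the django middleware's own code and
does not import Django, so it runs stand-alone on raw Set-Cookie strings.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Canonical spelling for the attributes we emit (attribute names are
# case-insensitive per RFC 6265, but readable output is nicer).
CANONICAL = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite",
             "path": "Path", "domain": "Domain", "max-age": "Max-Age",
             "expires": "Expires"}


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value; "" marks a bare flag such as Secure
    attrs: Dict[str, str] = field(default_factory=dict)

    def to_header(self) -> str:
        parts = [f"{self.name}={self.value}"]
        for key, val in self.attrs.items():
            label = CANONICAL.get(key, key)
            parts.append(label if val == "" else f"{label}={val}")
        return "; ".join(parts)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    pair, *rest = header.split(";")
    name, _, value = pair.strip().partition("=")
    attrs: Dict[str, str] = {}
    for item in rest:
        key, _, val = item.strip().partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)


def apply_samesite_policy(headers: Iterable[str], *, samesite: str = "None",
                          force_all: bool = False,
                          keys: Iterable[str] = ()) -> List[str]:
    """FORCE_ALL rewrites every cookie; KEYS rewrites only the listed names.

    A cookie that matches neither is passed through untouched, which is the
    gap the audit below is meant to surface.
    """
    wanted = set(keys)
    out: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if force_all or cookie.name in wanted:
            cookie.attrs["samesite"] = samesite
            if samesite.lower() == "none":
                cookie.attrs["secure"] = ""  # SameSite=None needs Secure (assumption stated above)
        out.append(cookie.to_header())
    return out


def audit(headers: Iterable[str]) -> List[Tuple[str, bool, Optional[str]]]:
    """(name, has Secure, SameSite value or None) per cookie, sorted by name."""
    rows = []
    for header in headers:
        c = parse_set_cookie(header)
        rows.append((c.name, "secure" in c.attrs, c.attrs.get("samesite")))
    return sorted(rows, key=lambda r: r[0])


def missing_samesite_none(headers: Iterable[str]) -> List[str]:
    """Cookies that are not marked SameSite=None (the post's blank cells)."""
    return [name for name, _, ss in audit(headers) if (ss or "").lower() != "none"]


def rejected_by_browser(headers: Iterable[str]) -> List[str]:
    """SameSite=None without Secure: the browser will drop these cookies."""
    return [name for name, secure, ss in audit(headers)
            if (ss or "").lower() == "none" and not secure]


def render_table(rows: List[Tuple[str, bool, Optional[str]]]) -> str:
    lines = ["Name | Secure | SameSite |", "---|---|---|"]
    for name, secure, ss in rows:
        lines.append(f"{name} | {'✓' if secure else ''} | {ss or ''} |")
    return "\n".join(lines)


# Constructed sample response headers (not captured from any real sandbox).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "csrftoken=tok; Path=/; Secure",
    "edxloggedin=true; Path=/; Secure",
    "sessionid=sess; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    keys_only = apply_samesite_policy(
        SAMPLE_HEADERS, keys=["JSESSIONID", "csrftoken", "edxloggedin"])
    print(render_table(audit(keys_only)))
    print("missing SameSite=None:", missing_samesite_none(keys_only))
    forced = apply_samesite_policy(SAMPLE_HEADERS, force_all=True)
    print(render_table(audit(forced)))
```

Running it prints the keys-only table with a blank SameSite cell for `sessionid`, then the forced table with every cookie marked. `rejected_by_browser()` is the extra check worth keeping in a real audit: a cookie that shows `SameSite=None` in the response but lacks `Secure` will look fine in the table and still never reach the LTI iframe.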